Recent high profile cyber-attacks have forced company boards to think much harder about the security of their customers’ information. IT security is no longer just about locking down networks. Hackers are more sophisticated than ever and government legislation now requires organisations to report when data breaches do occur.
Technology chiefs gathered in Brisbane recently to discuss how they are improving their cyber resilience and preparing for the inevitable data breach and the fallout that follows. After all, how a company responds to a breach and the leaking of private customer information is just as important as making sure the right security technology has been deployed. The roundtable luncheon was sponsored by Juniper and Communications Design & Management (CDM).
Juniper Networks Australia systems engineering senior manager, James Sillence, says since February this year, there has been a statutory obligation for an organisation to notify a data breach as part of its response to an incident.
“However, what is critically important following any data loss is for an organisation to thoroughly review its people, process and technology in view of that loss. If we are not using a data breach to identify weaknesses in our defences, we are wasting a valuable opportunity to improve,” he says.
“Reputational damage in the aftermath of a data breach can be disastrous. However, how an organisation responds to the breach can have a large influence on the scale of the disaster.”
Communications Design & Management (CDM) managing director, Ralph Nash, adds that data integrity is critical to business success and, for many organisations, reputational damage can have a huge and potentially fatal impact.
“This can be minimised by having a plan and executing it well,” Nash says. “Taking steps to lessen the impacts of a data breach before the breach occurs is an essential part of the overall plan.
“Those steps should mirror the diligence applied to sourcing any new security platform – research, testing, evaluation, training, ongoing management and continual improvements. Prevention is better than having to apply a fix, however, both need time and investment and both need approved solutions in place.”
According to ERM Power chief information officer Derek McKay, competent organisations use effective enterprise risk management systems to deal with a range of material operational risks. He says the management of cyber security should fit within an enterprise risk management framework, with the risk appetite for the organisation clearly understood.
“Ultimately, it is not just about having the right security technology – such as managing safety within the workplace. An effective cyber security posture, inclusive of managing private information, requires an understanding that managing risk is everybody’s responsibility.
“If an organisation thinks their data is being protected just through having the right technology, then they are missing the human element of risk management,” McKay says.
Another attendee, a CIO in the healthcare sector, says an organisation’s response to a data breach and the leaking of private customer information is important because consumers need to trust and have confidence in a brand.
“I would want to know that if something untoward happened, that the organisation I have trusted with my personal data is honest and willing enough to admit a breach and deal with it effectively rather than pushing it under the covers,” she says.
Cyber a balancing act
Cyber security is a balancing act – it’s about deploying resources, technology and people in the right measure to thwart adversaries, according to Juniper’s Sillence.
Three things are beginning to have a significant impact on the balance: the bad guys are getting smarter and more efficient; security professionals are becoming scarce and expensive; and environments are getting more difficult to defend as the perimeter disappears and the attack surface becomes wider.
“This situation isn’t going to change, but we have the opportunity to redress the balance in a number of ways,” he says. “Firstly, by using automation and machine learning to address the skills gap and bring a machine-based response to a machine-based attack. Secondly, by recognising the perimeter is now difficult to define and that effective network security means security is built in to every point of the network, not a bolt-on point product. Lastly, by getting the attack surface back under control – removing unnecessary application traffic and implementing network-level access controls to critical systems.”
Provided the key security elements are in place and IT infrastructure is managed well, the number one threat remains internal staff, CDM’s Nash says.
“Training would be the obvious answer, however, applications are evolving to address user behaviour. I see continuing growth in this area with the industry investing in significant application development to bring automation and AI experience to the IT operators,” he says.
“The term is ‘software-defined’ and it is programming that allows business-focused executives to manage wide-scale networks and execute complex network security changes without the need for highly technical operators to be involved.”
The healthcare CIO agrees the biggest threat is the company’s own staff – keeping them abreast of threats and how they should and shouldn’t respond is a constant battle.
“Boredom starts to creep in once the hype of cyber-attacks in the news becomes a constant message. Then our people don’t read the latest information on threats, aren’t as vigilant in their responses and you have a perfect storm happening. How to keep the topic relevant, engaging and interactive is going to be every CIO’s challenge.”
Success is limited
Organisations are having more success in identifying threats than they have in the past but when identification occurs, being able to react in time remains problematic, Ralph Nash says.
“Many organisations now look more broadly at their risk profile and possible threats than before. The experience and seeing what has happened to others has helped this along. Many tools are focused on reviewing logs and providing reports for system engineers to take action.
“Applications that can review logs, diagnose incidents and initiate changes are still out of the reach of most businesses as they take time to design and implement. The software-defined world is changing this.”
Juniper’s Sillence adds organisations have largely focused on protecting their perimeter. When the perimeter is breached, it can take many months for an attack to be discovered – this is called ‘dwell time’.
“Unfortunately, the dwell time has not been reducing significantly, an indication that we aren’t getting any better at identifying attacks,” he says. “This situation is exacerbated in a country such as Australia. We have a highly developed digital economy which makes us a ripe hunting ground for attackers, yet organisations don’t have the size and scale to warrant dedicated security teams – security is just another function of the IT team.”
ERM Power’s McKay says his organisation has a proactive process of regular penetration tests on new software developments. “The outputs of these tests form part of the continual improvement program, including education programs for our staff in a popular ‘lunch and learn’ format that builds on the output of our social engineering testing.
“The board is keenly interested in cyber security and it is an item on the agenda for the enterprise risk committee and the board audit and risk committee with regular ‘deep dives’ into ERM Power’s cyber security planning,” he says.